OSX/PWS-Corpref

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Macintosh
  • Protection Added: 2008-06-26

OSX/PWS-Corpref is a password-stealing trojan that targets Apple Macintosh OS X users and masquerades as a poker game program.

Minimum Engine

5400.1158

File Length

Varies

Description Added

2008-06-26

Description Modified

2008-06-26

Malware Proliferation

OSX/PWS-Corpref is a password-stealing trojan that targets Apple Macintosh OS X (MacOS X) users and masquerades as a poker game program.

When run, it executes AppleScript to display a message reporting a "corruption" in the program and prompts the user for the administrator password to "fix" it. In MacOS X it is normal for the user to be asked for a password before any administrator task is performed, so the prompt does not look out of place.

[Screenshot 146310-2: the "corruption" message and administrator password prompt]

The trojan checks the entered password by running the "id" system command under it and confirming that it now has the administrator user ID. If the check fails, it prompts the user to enter the right password:

[Screenshot 146310-3: the prompt to re-enter the password]

When the check succeeds, OSX/PWS-Corpref can modify system files and configurations with administrator (sudo) privileges. Depending on the OS version, it changes one of the following files to enable the remote login (SSH) service on the infected MacOS X machine:

  • /System/Library/LaunchDaemons/ssh.plist (MacOS X 10.4 and 10.5)
  • /private/etc/xinetd.d/ssh (MacOS X 10.3)
  • /etc/hostconfig (MacOS X 10.2)
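
The following script is an added example (not McAfee's code, and not taken from the trojan) that checks whether each of the three files listed above has remote login switched on, which is the "unexpected enabling of SSH" indication a defender would look for. The key names it parses (launchd `Disabled`, xinetd `disable`, hostconfig `SSHSERVER`) are assumed from those OS versions' file formats, and the sample file contents are constructed.

```python
import plistlib
import re

def ssh_enabled_launchd(plist_bytes):
    # MacOS X 10.4/10.5: the launchd job runs unless Disabled is true
    # (assumed layout of ssh.plist on those releases).
    return not plistlib.loads(plist_bytes).get("Disabled", False)

def ssh_enabled_xinetd(text):
    # MacOS X 10.3: xinetd stanza; the service is off only when 'disable = yes'.
    m = re.search(r"^\s*disable\s*=\s*(\w+)", text, re.M | re.I)
    return m is None or m.group(1).lower() != "yes"

def ssh_enabled_hostconfig(text):
    # MacOS X 10.2: SSHSERVER=-YES- / -NO- (assumed key name).
    m = re.search(r"^SSHSERVER=-(YES|NO)-\s*$", text, re.M)
    return m is not None and m.group(1) == "YES"

def ssh_enabled(path, data):
    """Pick the parser by the path the advisory names; True means remote login is on."""
    if path.endswith("/ssh.plist"):
        return ssh_enabled_launchd(data)
    if path.endswith("/xinetd.d/ssh"):
        return ssh_enabled_xinetd(data.decode())
    if path.endswith("/hostconfig"):
        return ssh_enabled_hostconfig(data.decode())
    raise ValueError("not an SSH configuration file: " + path)

PLIST = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
         b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
         b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
         b'<plist version="1.0"><dict><key>Label</key><string>com.openssh.sshd</string>'
         b'<key>Disabled</key><%s/></dict></plist>\n')
XINETD = b"service ssh\n{\n\tdisable = %s\n\tserver = /usr/libexec/sshd-keygen-wrapper\n}\n"
HOSTCONFIG = b"AFPSERVER=-NO-\nSSHSERVER=-%s-\n"

# Constructed samples: (stock content with SSH off, tampered copy with SSH on).
SAMPLES = {
    "/System/Library/LaunchDaemons/ssh.plist": (PLIST % b"true", PLIST % b"false"),
    "/private/etc/xinetd.d/ssh": (XINETD % b"yes", XINETD % b"no"),
    "/etc/hostconfig": (HOSTCONFIG % b"NO", HOSTCONFIG % b"YES"),
}

def audit(files):
    """Return the paths (sorted) whose content has remote login enabled."""
    return sorted(p for p, data in files.items() if ssh_enabled(p, data))

if __name__ == "__main__":
    print("stock:", audit({p: s[0] for p, s in SAMPLES.items()}))      # []
    print("tampered:", audit({p: s[1] for p, s in SAMPLES.items()}))   # all three paths
```

On a live machine the same functions would be fed the real file contents read from those paths; a result other than an empty list on a host where remote login was never enabled is worth investigating.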

It then dumps the password hashes into a file, which is sent by e-mail to the malware author together with the user name, password and IP address, using the following web server:

  • hxxp://psid{blocked}.com/mailer/{blocked}.php

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This trojan masquerades as a poker game program for Apple MacOS X to entice users into running it. Indications of infection include:
  • Unexpected network connections to the mentioned website(s).
  • Unexpected enabling of the remote login (SSH) service.
  • Presence of the mentioned dialog messages.
  • Presence of the PokerGame program with the below characteristics:

[Screenshot 146310-1: characteristics of the PokerGame program]